US2012096551A1PendingUtilityA1

Intrusion detecting system and method for establishing classifying rules thereof

36
Assignee: LEE HAHN-MINGPriority: Oct 13, 2010Filed: May 15, 2011Published: Apr 19, 2012
Est. expiryOct 13, 2030(~4.3 yrs left)· nominal 20-yr term from priority
G06F 21/55
36
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

A method for establishing classifying rules of an intrusion detecting system is provided with the following steps. First, at least one decision tree is provided. Internal nodes of the decision tree respectively represent an attribute judgment condition, and leaf nodes respectively represent an attack event or non-attack event. Next, a plurality of attribute data of at least one new attack event is received. Then, a tree structure of the decision tree is adjusted according to the attribute data. Afterwards, at least one attack rule or at least one non-attack rule is outputted according to the adjusted decision tree. Further, the intrusion detection system is also provided.

Claims

exact text as granted — not AI-modified
1 . A method for establishing classifying rules of an intrusion detecting system, comprising:
 providing at least one decision tree, wherein internal nodes of the decision tree respectively represent an attribute judgment condition, and leaf nodes of the decision tree respectively represent an attack event or a non-attack event;   receiving a plurality of attribute data of at least one new attack event;   finding the decision tree corresponding to the new attack event according to a clustering algorithm;   adjusting a tree structure of the decision tree corresponding to the new attack event according to the attribute data; and   outputting at least one attack rule or at least one non-attack rule according to the adjusted decision tree.   
     
     
         2 . The method for establishing classifying rules of the intrusion detecting system as claimed in  claim 1 , wherein the step of adjusting the tree structure of the decision tree comprises:
 adjusting the tree structure of the decision tree according to an incremental tree induction method.   
     
     
         3 . The method for establishing classifying rules of the intrusion detecting system as claimed in  claim 1 , wherein before the step of adjusting the tree structure of the decision tree, the method further comprises:
 normalizing the attribute data into a plurality of numerical data, wherein the numerical data are greater than or equal to 0 and are smaller than or equal to 1.   
     
     
         4 . The method for establishing classifying rules of the intrusion detecting system as claimed in  claim 1 , wherein before the step of adjusting the tree structure of the decision tree, the method further comprises:
 selecting at least one significant attribute data from the attribute data according to a significant attribute list, so as to execute the clustering algorithm according to the significant attribute data.   
     
     
         5 . The method for establishing classifying rules of the intrusion detecting system as claimed in  claim 1 , wherein the step of providing the decision tree comprises:
 batch learning a plurality of training events to establish the decision tree.   
     
     
         6 . An intrusion detecting system, comprising:
 a decision tree module, for storing at least one decision tree, wherein internal nodes of the decision tree respectively represent an attribute judgment condition, and leaf nodes of the decision tree respectively represent an attack event or a non-attack event;   a preprocessing module, for receiving a plurality of attribute data of at least one new attack event;   a clustering module, for finding the decision tree corresponding to the new attack event according to a clustering algorithm;   an adjustment module, for adjusting a tree structure of the decision tree corresponding to the new attack event according to the attribute data;   a rule output module, for outputting at least one attack rule or at least one non-attack rule according to the adjusted decision tree; and   an attack rule database, for storing the attack rule or the non-attack rule.   
     
     
         7 . The intrusion detecting system as claimed in  claim 6 , further comprising:
 a significant attribute list module, for storing a significant attribute list, wherein the clustering module selects at least one significant attribute data from the attribute data according to the significant attribute list, so as to execute the clustering algorithm according to the significant attribute data.   
     
     
         8 . The intrusion detecting system as claimed in  claim 6 , wherein the preprocessing module further normalizes the attribute data into a plurality of numerical data, wherein the numerical data are greater than or equal to 0 and are smaller than or equal to 1. 
     
     
         9 . The intrusion detecting system as claimed in  claim 6 , further comprising:
 a warning message generating module, for generating a warning message according to the attack rule database when being under attack; and   a warning message database, for storing the warning message.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.